Labels recovered from Figure 2:
  IsScanning(?) see Fig. 7
  IsCode(?) see Fig. 8a and 8b
  IsCorrelated(?) see Fig. 9
  IsSpam(?) see Fig. 10
  3. Find spreading content (see Fig. 5)
  4. Additional Checks
  5. Is destination vulnerable to exploit E?
  6. If packet contents (e.g., lengths) reflect exploit, record exploit content
  TO SIGNATURE BLOCKERS AND MANAGERS
  Anomalous Signatures (code red, mydoom, blaster) and Anomalous Sources and Destinations
  Potentially take direct action by dropping packet or resetting/rate limiting connection

Figure 2: Large Scale Intrusion Detection System
Data Reduction of Signature to String S

Simple Solution
  Lookup S in Signature Table
  If S is not in Table, Add entry for S with count 0
  Increment counter for S
  If counter for S is greater than FreqThreshold then Add S to FreqContentTable

Scalable Solution
  Optionally use a Bloom Filter or a Counting Bloom Filter (Ref 13) to remove content with small (e.g., 1) repetition count
  For each stage i (of K stages) do
    Hash S using Hash Function i to get position K[i]
    Increment counter in position K[i] of Stage i table
  If all K stage counters hashed into are greater than StageFreqThreshold add S to FreqContentTable

Figure 3: This figure shows the details of Block 215 of the LSIDS system of Figure 2. It sieves out frequent signatures
for entry into the FrequentContentTable. Two alternatives are described, a simple version and a scalable version.
Figure 4: To identify frequent content using only a small amount of memory, a packet with content C1 is hashed
using hash function h1 into a Stage 1 hash table, h2 into a Stage 2 hash table, etc. Each of the hash buckets
contains a counter that is incremented by 1. If all the hash bucket counters are above the threshold (shown black),
then content C is passed to the frequent content table for more careful observation.
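The scalable solution of Figures 3 and 4 as a runnable example (added here; this is not code from the patent). It assumes K = 3 stages, 256 counters per stage, hash function i modelled as SHA-256 over a stage-specific prefix, and a constructed traffic mix in which one payload repeats and forty others appear once.

```python
import hashlib

K_STAGES = 3                 # K independent stage tables (Figures 3 and 4)
BUCKETS = 256                # counters per stage table (constructed; small on purpose)
STAGE_FREQ_THRESHOLD = 3     # StageFreqThreshold in Figure 3

def stage_hash(sig: bytes, stage: int) -> int:
    """Hash Function i of the figure, modelled (assumption) as SHA-256 over a
    stage-specific prefix plus the signature, reduced to a bucket index."""
    digest = hashlib.sha256(bytes([stage]) + sig).digest()
    return int.from_bytes(digest[:4], "big") % BUCKETS

class MultiStageFilter:
    """Scalable solution of Figure 3: memory is K * BUCKETS counters, not one
    entry per distinct signature as in the simple (per-signature table) version."""
    def __init__(self):
        self.stages = [[0] * BUCKETS for _ in range(K_STAGES)]
        self.freq_content_table = set()

    def observe(self, sig: bytes) -> bool:
        """Process one signature S; True when S is added to FreqContentTable."""
        positions = [stage_hash(sig, i) for i in range(K_STAGES)]
        for i, p in enumerate(positions):
            self.stages[i][p] += 1
        # S is frequent only if the counter in every stage exceeds the threshold;
        # a rare S must collide with heavy buckets in all K stages to slip through.
        if all(self.stages[i][p] > STAGE_FREQ_THRESHOLD
               for i, p in enumerate(positions)):
            self.freq_content_table.add(sig)
            return True
        return False

def run_demo():
    """Constructed traffic: one payload repeats five times, 40 others appear once.
    Returns (packet number at which S was first flagged, FreqContentTable)."""
    f = MultiStageFilter()
    repeated = b"REPEATED-PAYLOAD-S"
    one_offs = [b"payload-%02d" % n for n in range(40)]
    first_hit = None
    for n, sig in enumerate([repeated] * 5 + one_offs, 1):
        if f.observe(sig) and first_hit is None:
            first_hit = n
    return first_hit, f.freq_content_table
```

The repeated payload is flagged on its fourth occurrence (counter 4 > 3 in every stage); the one-off payloads never reach the table.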



General Signature = Any subset of TCP payload and header
PayloadSignature = TCP Payload + TCP Destination Port
OffsetSignature = Any continuous portion in payload + TCP Destination Port
MultiSignature = One or more continuous portions of payload + TCP Destination Port

Figure 5: This figure shows the details of Block 205 of the LSIDS system of Figure 2.
Figure 6a
  When string S is added to FreqContentTable
    Initialize SourceBitMap and DestBitMap to zeroes and SourceScale to SThreshBits and DestScale to DThreshBits

  When processing a packet with hashed signature S
    Lookup entry for S in FreqContentTable, skip remaining steps if not found
    Hash Source IP Address of Packet to a W bit number SHash
    Let r be the number of bits in SourceBitMap corresponding to S
    If all bits in SHash from positions r+1 through r+SourceScale are all 0 then
      Set position x in SourceBitMap to 1 where x is low order r bits of SHash

Figure 6c
    Hash Destination IP Address of Packet to a W bit number DHash
    Let t be the number of bits in DestBitMap corresponding to S
    If all bits in DHash from positions t+1 through t+DestScale are all 0 then
      Set position y in DestBitMap to 1 where y is low order t bits of DHash
    If (bits set in SourceBitMap * 2^SourceScale - 1) > SourceThreshold and
       (bits set in DestBitMap * 2^DestScale - 1) > DestThreshold then
      Add signature S to Suspicion Table if not there
      Log SourceCount and DestCount in entry in Suspicion Table
      Initialize SourceBitMap and DestBitMap for S to zeroes
      Increment SourceScale and DestScale to allow counting twice as much next time

Figure 6: This figure shows the details of block 230 of the LSIDS system of Figure 2. It shows how frequent
signatures are checked for signs of large scale involvement and rising infection levels. Such signatures are entered in
the suspicious signature table and their source count and destination counts are logged to record the progress of the
infection.
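The source side of Figure 6 as a runnable example (added here; not the patent's code). It assumes W = 32, a 64-position SourceBitMap (r = 6), an initial SourceScale of 0, SourceThreshold = 32, and reads the scaled count as bits set times 2^SourceScale; the destination side is handled identically with its own bitmap, scale and threshold.

```python
import hashlib

W = 32                  # width of the address hash in bits (W in Figure 6)
R_BITS = 6              # SourceBitMap has 2**R_BITS positions (r in Figure 6)
SOURCE_THRESHOLD = 32   # SourceThreshold (constructed value)

def hash_ip(ip: str) -> int:
    """W-bit hash of an address (SHA-256 truncated; an assumption, the figure only says 'hash')."""
    return int.from_bytes(hashlib.sha256(ip.encode()).digest()[:4], "big") & ((1 << W) - 1)

class ScaledSourceBitmap:
    """Figure 6, source side: an address sets a bit only when the `scale` hash
    bits just above the low r bits are all zero, so each set bit stands for
    about 2**scale distinct sources and a 64-bit map can count far more."""
    def __init__(self, scale: int = 0):
        self.scale = scale          # SourceScale (starts at SThreshBits in the figure)
        self.bitmap = 0             # SourceBitMap
        self.log = []               # Suspicion Table log: (scale, bits set, SourceCount)

    def bits_set(self) -> int:
        return bin(self.bitmap).count("1")

    def source_count(self) -> int:
        return self.bits_set() * (1 << self.scale)

    def observe(self, src_ip: str) -> bool:
        """Process one packet carrying S; True when the scaled count crosses the threshold."""
        h = hash_ip(src_ip)
        low_r = h & ((1 << R_BITS) - 1)
        above = (h >> R_BITS) & ((1 << self.scale) - 1)
        if above == 0:                      # positions r+1 .. r+scale are all zero
            self.bitmap |= 1 << low_r
        if self.source_count() > SOURCE_THRESHOLD:
            self.log.append((self.scale, self.bits_set(), self.source_count()))
            self.bitmap = 0                 # re-initialise the bitmap for S
            self.scale += 1                 # count twice as much next time
            return True
        return False

def run_demo():
    """Constructed stream of 2000 distinct source addresses sending signature S.
    Returns (final SourceScale, log of threshold crossings)."""
    m = ScaledSourceBitmap()
    for i in range(2000):
        m.observe(f"10.{(i >> 8) & 255}.{i & 255}.7")
    return m.scale, m.log
```

Each crossing is logged with a rising scale, so the log records the infection's growth while the bitmap itself never grows past 64 bits.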
Test for Content that Scans
  If source address of Packet containing suspicious signature S is in Blacklist
    Hash source address into a position S
    Set Position S in SpreadBitMap corresponding to S in Suspicion Table
    Increment UnusedProbes corresponding to S
  If Number of Bits Set in SpreadBitMap > SpreadThresh1 and UnusedProbes > ScanThresh2 then
    Report Scan(S) as True;

Figure 7: Scan test as part of the further tests (245) of the LSIDS system of Figure 2



Figure 8a
  Packet Code Test
    For every offset O from 0 to PacketLength - N run the CodeTest
    If T offsets pass the OffsetCodeTest report positive

Figure 8b
  OffsetCodeTest at Offset O for Length N
    LengthTested = 0
    Repeat until LengthTested > N
      Lookup Byte at Offset O + LengthTested in OpCodeTable(s)
      If OpCodeTable says Invalid report "Code Test Failed" and Exit
      If OpCodeTable Entry is Valid increment LengthTested by OpCodeTable Entry Length Value

Figure 8: Code test as part of further tests (245) of the LSIDS system of Figure 2
When string S is added to FreqContentTable

When processing a packet with hashed signature S
  Lookup entry for S in FreqContentTable, skip remaining steps if not found
  Hash Source IP Address of Packet to a W bit number SHash
  Let r be the number of bits in SourceCorBitMap corresponding to S
  If all bits in SHash from positions r+1 and higher are all 0 then
    Set position x in SourceCorBitMap to 1 where x is low order r bits of SHash
  Hash Destination IP Address of Packet to a W bit number DHash
  Let t be the number of bits in DestCorBitMap corresponding to S
  If all bits in DHash from positions t+1 and higher are all 0 then
    Set position y in DestCorBitMap to 1 where y is low order t bits of DHash
  If the number of common bit positions in SrcCorBitMap for this interval and the DstCorBitMap for last interval
  is > CorThreshold, then S passes the correlation test

At end of interval for every suspicious signature S
  Log SrcCorBitMap and DstCorBitMap
  Initialize SourceCorBitMap and DstCorBitMap to zeroes

Figure 9: Correlation test as part of the further tests (245) of the LSIDS system of Figure 2
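The correlation test of Figure 9 as a runnable example (added here; not the patent's code). It assumes 256-position CorBitMaps (r = t = 8), a 9-bit address hash so that only hashes whose bit above the low r bits is zero are recorded, a constructed CorThreshold of 45, and two constructed intervals: one sender hitting 200 victims, then either those victims or 200 unrelated hosts sending the same signature.

```python
import hashlib

R_BITS = 8          # SrcCorBitMap and DstCorBitMap have 2**R_BITS positions (r, t in Figure 9)
W = R_BITS + 1      # hash width; bits from position r+1 upward must be zero to record
COR_THRESHOLD = 45  # CorThreshold (constructed: well above the chance overlap of ~27 here)

def hash_ip(ip: str) -> int:
    """W-bit hash of an address (SHA-256 truncated; an assumption, the figure only says 'hash')."""
    return int.from_bytes(hashlib.sha256(ip.encode()).digest()[:4], "big") & ((1 << W) - 1)

def record(bitmap: int, ip: str) -> int:
    """Set the bit for ip only if all hash bits from position r+1 upward are 0."""
    h = hash_ip(ip)
    if h >> R_BITS == 0:
        bitmap |= 1 << (h & ((1 << R_BITS) - 1))
    return bitmap

class CorrelationTest:
    """Figure 9 for one suspicious signature S: sources seen this interval are
    compared with destinations seen last interval; heavy overlap means last
    interval's targets are now senders, i.e. the content is propagating."""
    def __init__(self):
        self.src_bitmap = self.dst_bitmap = self.last_dst_bitmap = 0
        self.log = []   # (SrcCorBitMap, DstCorBitMap) per finished interval

    def observe(self, src_ip: str, dst_ip: str) -> bool:
        self.src_bitmap = record(self.src_bitmap, src_ip)
        self.dst_bitmap = record(self.dst_bitmap, dst_ip)
        common = bin(self.src_bitmap & self.last_dst_bitmap).count("1")
        return common > COR_THRESHOLD

    def end_interval(self) -> None:
        self.log.append((self.src_bitmap, self.dst_bitmap))
        self.last_dst_bitmap = self.dst_bitmap
        self.src_bitmap = self.dst_bitmap = 0

def run_demo(victims_become_senders: bool) -> bool:
    """Interval 1: one sender hits 200 constructed victims. Interval 2: either
    those victims send S onward (propagation) or 200 unrelated hosts do."""
    victims = [f"10.1.{i >> 8}.{i & 255}" for i in range(1, 201)]
    others = [f"10.9.{i >> 8}.{i & 255}" for i in range(1, 201)]
    t = CorrelationTest()
    for v in victims:
        t.observe("198.51.100.7", v)
    t.end_interval()
    senders = victims if victims_become_senders else others
    return any(t.observe(s, f"10.2.{i >> 8}.{i & 255}") for i, s in enumerate(senders, 1))
```

With the same hash on both sides, a host recorded as a destination last interval lands on the same bit when it appears as a source, which is what makes the overlap count meaningful.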
If Signature S passes a Bayesian Spam test then report that S passes the spam test

Figure 10: Spam test as part of the further tests (245) of the LSIDS system of Figure 2